Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch'

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

Hard to argue it's much of a disincentive

[SuperKendall]

iOS12 despite being less than a month old, is on something like 50% of active devices now - who else achieves that kind of patch rate?

Most users will never even look at basic patch notes, much less security info. The people it might disincentive are maybe 0.00000000000000000000000000000000000001% of the user base.

Maybe.

That said I totally agree they SHOULD say when a security bug is fixed so at least everyone has a better idea of what has improved without testing.